Kubernetes NGINX Ingress TLS Secrets in All Namespaces

Kubernetes Ingress is a powerful resource that can automate load balancing and SSL/TLS termination. The NGINX Ingress Controller is currently the only supported cloud-agnostic ingress controller for Kubernetes. A single ingress controller can be deployed to the cluster and service requests for all namespaces in a cluster. There is currently an outstanding issue where Ingress resources can only reference TLS secrets within their own namespace:

This can be a problem when a cluster has a wildcard certificate that needs to be used across multiple ingress resources in different namespaces. A prime example is a cluster that is setup to automatically request Let’s Encrypt wildcard certificates. In this blog post, we explain an approach for automatically reflecting TLS secrets to every namespace in the cluster.

Define Variables

Separating configuration from logic is an important first step to staying organized. First, we’ll create a file called vars.env that holds all of the configuration for our resources.

TLS_SECRET: name of the TLS Secret that will be reflected across the cluster

NAMESPACE: the Kubernetes namespace where the TLS Secret is controlled from. The Ingress Certificate Reflector will watch the TLS Secret in this namespace and copy updates to all other namespaces in the cluster.

Setup Ingress Certificate Reflector

The Ingress Certificate Reflector needs permission to list/watch all Namespaces in the cluster and create/get/update/watch the TLS Secret in all Namespaces in the cluster. We’ll create a ServiceAccount, ClusterRole, and ClusterRoleBinding to add these permissions.

The Ingress Cert Reflector has 2 primary functions:

Watch all Namespaces in the cluster. When a new Namespace is added, copy the TLS Secret to it

Watch the TLS Secret. When it changes, copy it to every Namespace

To accomplish this, we’ll create a Deployment with 2 containers: ns-watch and secret-watch

Create a file called ingress-cert-reflector.yml to create these resources: